Control Administrator Access
Managing privileged passwords, including local administrator, service
account and embedded application passwords, is a challenge in most
organizations. There are often too many passwords, distributed across too
many devices, with too many inter-dependencies. As a result,
privileged passwords are often static, simple and well-known.
IT staff often retain privileged passwords long after they leave,
and attackers have long time windows in which to attack service and application
accounts.
These security problems may violate regulatory requirements for privacy
protection or transparent corporate governance.
Privileged access management systems secure access to administrator and
other accounts with elevated privileges on systems and applications. This
is typically done through a combination of:
- Discovering systems and applications where privileged accounts exist.
- Extracting a list of accounts from each system.
- Applying policy to determine which accounts to manage.
- Periodically randomizing passwords to these accounts.
- Storing these random passwords in a secure vault.
- Authenticating users who need to access these accounts.
- Applying access control policy to determine which users are allowed
  access to which privileged accounts.
- Providing one or more access disclosure mechanisms to connect
  approved users to privileged accounts.
- Controlling how many users may concurrently sign into the same account.
- Logging and reporting on this access.
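To make the workflow above concrete, the following is an added example, not code from Hitachi ID or any product: a minimal in-memory vault in Python that covers the core steps of the list (randomizing passwords with a CSPRNG, holding them, authenticating is assumed to have happened upstream, applying an authorization policy on checkout, enforcing a per-account concurrency limit, re-randomizing when the last session ends, and logging every decision). The class and policy names, the 24-character password policy, and the sample users and account are assumptions; the password would additionally be pushed to the target system and encrypted at rest in a real deployment.

```python
import datetime
import secrets
import string
from dataclasses import dataclass, field

# Assumed password policy for the example: 24 characters drawn from four
# character classes, with every class guaranteed to be present.
PASSWORD_LENGTH = 24
CHARACTER_CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    "!@#$%^&*()-_=+",
)


def random_password(length: int = PASSWORD_LENGTH) -> str:
    """Draw a password from the OS CSPRNG (secrets); reject any draw that
    misses a character class, so the policy holds without biasing positions."""
    alphabet = "".join(CHARACTER_CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CHARACTER_CLASSES):
            return candidate


@dataclass
class ManagedAccount:
    system: str
    name: str
    password: str
    max_concurrent: int = 1
    checked_out_by: set = field(default_factory=set)


class PrivilegedAccessManager:
    """Hypothetical minimal vault: enroll accounts, randomize their passwords,
    apply authorization and concurrency policy on checkout, rotate on the last
    checkin, and record an audit trail of every decision."""

    def __init__(self, policy: dict):
        # policy maps an already-authenticated user to the set of
        # (system, account) pairs that user may check out.
        self.policy = policy
        self.accounts: dict = {}
        self.audit: list = []

    def _log(self, event, user, system, account, outcome):
        self.audit.append({
            "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
            "event": event, "user": user,
            "system": system, "account": account, "outcome": outcome,
        })

    def enroll(self, system, name, max_concurrent=1):
        # Bring an account under management with a fresh random password.
        # (Pushing it to the target and encrypting it at rest are omitted.)
        acct = ManagedAccount(system, name, random_password(), max_concurrent)
        self.accounts[(system, name)] = acct
        self._log("randomize", "pam", system, name, "ok")
        return acct

    def checkout(self, user, system, name) -> str:
        key = (system, name)
        acct = self.accounts.get(key)
        if acct is None:
            self._log("checkout", user, system, name, "denied: unmanaged account")
            raise KeyError(f"{system}/{name} is not managed")
        if key not in self.policy.get(user, set()):
            self._log("checkout", user, system, name, "denied: policy")
            raise PermissionError(f"{user} may not access {system}/{name}")
        # A user who already holds the account may re-open it; others count
        # against the concurrency limit.
        if user not in acct.checked_out_by and len(acct.checked_out_by) >= acct.max_concurrent:
            self._log("checkout", user, system, name, "denied: concurrency limit")
            raise RuntimeError(f"{system}/{name} already has {acct.max_concurrent} active session(s)")
        acct.checked_out_by.add(user)
        self._log("checkout", user, system, name, "ok")
        return acct.password

    def checkin(self, user, system, name):
        acct = self.accounts[(system, name)]
        acct.checked_out_by.discard(user)
        self._log("checkin", user, system, name, "ok")
        if not acct.checked_out_by:
            # Last session is over: rotate so the disclosed value is now useless.
            acct.password = random_password()
            self._log("randomize", "pam", system, name, "ok")


if __name__ == "__main__":
    # Constructed sample policy: two users may use db01/root, one at a time.
    pam = PrivilegedAccessManager({"alice": {("db01", "root")}, "bob": {("db01", "root")}})
    pam.enroll("db01", "root", max_concurrent=1)
    first = pam.checkout("alice", "db01", "root")
    try:
        pam.checkout("bob", "db01", "root")
    except RuntimeError as exc:
        print("bob blocked:", exc)
    pam.checkin("alice", "db01", "root")
    second = pam.checkout("alice", "db01", "root")
    print("rotated after checkin:", first != second)
    for entry in pam.audit:
        print(entry)
```

Two design points worth noting: the rotation happens at checkin rather than only on a timer, which closes the window in which a disclosed password stays valid, and every denial is logged with its reason, since the audit trail is what makes a later investigation possible.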
Hitachi ID Privileged Access Manager secures privileged accounts across the IT landscape and
at large scale:
- It periodically randomizes passwords to privileged accounts.
- Users must sign into Privileged Access Manager before they can access
privileged accounts. This is an excellent opportunity to require
strong, multi-factor authentication. This also allows organizations
to apply a central authorization policy -- who is allowed access
to which account, when and from where?
- Privileged Access Manager launches login sessions on behalf of users,
without displaying passwords -- single sign-on.
- Privileged login sessions can be recorded, including screen
capture and keyboard capture. This creates strong accountability
and forensic audit trails.